HIPAA Violation Cases

Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees.

OCR has stepped up its enforcement activity, with more HIPAA violation cases resulting in financial penalties, both settlements and civil monetary penalties. The 2017 cases listed below account for nine financial penalties. 2016, a record year for enforcement of the HIPAA Rules, saw 12 settlements and one civil monetary penalty.

By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated.

What are the Consequences of Violating HIPAA?

The consequences of violating HIPAA can be significant, and it is important to note that the HHS' Office for Civil Rights (OCR) can impose financial penalties for a HIPAA violation even if no breach of PHI has occurred. The size of the penalty depends on the level of culpability and, if a breach has occurred, the number of records potentially exposed and the risk posed by the unauthorized disclosure. The penalty tiers (45 C.F.R. § 160.404) are:

A violation the entity did not know about, and could not reasonably have known about, can attract a penalty of $100 to $50,000 per violation.

A violation due to reasonable cause, and not to willful neglect, can attract a penalty of $1,000 to $50,000 per violation.

A violation due to willful neglect that is corrected within thirty days can attract a penalty of $10,000 to $50,000 per violation.

A violation due to willful neglect that is not corrected within thirty days attracts the maximum penalty of $50,000 per violation.

The figures listed above are the per-violation penalties OCR can impose; penalties for violations of an identical provision are capped at $1.5 million per calendar year. State attorneys general can also impose fines if a breach of PHI violates state law. HIPAA itself provides no private right of action, but if it can be proven that an individual has suffered harm through the negligence of a covered entity or business associate, the individual may be able to sue for damages under state law, and in some jurisdictions the damages awarded could far exceed the $1.5 million annual cap on OCR penalties.

HIPAA Violation Cases 2018

Cottage Health – Exposure of ePHI Over Internet

OCR agreed to settle multiple alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password. The ePHI of 62,500 patients was exposed. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. Read More…

Pagosa Springs Medical Center – Failure to Terminate Employee Access

Pagosa Springs Medical Center paid OCR $111,400 to settle alleged HIPAA violations after it failed to terminate a former employee's access to a web-based scheduling calendar, resulting in an impermissible disclosure of 557 patients' ePHI. The medical center had also failed to enter into a BAA with the business associate that provided the calendar. Read More…

Advanced Care Hospitalists – Lack of a Business Associate Agreement

An OCR investigation into an impermissible disclosure of 9,255 individuals' PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures, including the lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing that any HIPAA compliance efforts had been made prior to April 1, 2014. A settlement of $500,000 was agreed to resolve the alleged HIPAA violations. Read More…

Allergy Associates of Hartford – PHI Disclosure to Reporter

OCR investigated a complaint about an impermissible disclosure of a patient’s PHI to a reporter. OCR confirmed that PHI had been disclosed without authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. Read More…

Anthem Inc. – Multiple HIPAA Violations

An investigation into Anthem Inc.'s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. OCR determined there had been risk analysis failures, insufficient reviews of information system activity, a failure to respond adequately to a detected intrusion, and insufficient technical controls to prevent unauthorized access to ePHI. Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. Read More…

Boston Medical Center – Filming Patients Without Consent

Boston Medical Center allowed an ABC film crew to record footage of patients for the Boston Med TV series without first obtaining the patients' authorization. Boston Medical Center agreed to pay OCR $100,000 to settle the alleged HIPAA violations. Read More…

Brigham and Women’s Hospital – Filming Patients Without Consent

Brigham and Women's Hospital allowed an ABC film crew to record footage of patients for the Boston Med TV series without first obtaining the patients' authorization. Brigham and Women's Hospital agreed to pay OCR $384,000 to settle the alleged HIPAA violations. Read More…

Massachusetts General Hospital – Filming Patients Without Consent

Massachusetts General Hospital allowed an ABC film crew to record footage of patients for the Boston Med TV series without first obtaining the patients' authorization. Massachusetts General Hospital agreed to pay OCR $515,000 to settle the alleged HIPAA violations. Read More…

Filefax, Inc. – Failure to Protect Physical PHI

After the company had permanently closed, paperwork containing former patients' PHI was discarded by Filefax. The paperwork was taken by a member of the public, who sold the material to a recycling facility. OCR determined there had been a failure to safeguard patient information, resulting in an impermissible disclosure of 2,150 patients' records. Filefax agreed to settle the alleged HIPAA violations for $100,000. Read More…

University of Texas MD Anderson Cancer Center – Failure to Encrypt ePHI

OCR investigated three breaches involving the loss of a laptop computer and two unencrypted thumb drives containing patients' PHI. OCR determined that there had been an impermissible disclosure of 34,883 patients' ePHI due to a lack of encryption. The case was contested, but an administrative law judge ruled in favor of OCR, and University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. Read More…

HIPAA Violation Cases 2017

Memorial Hermann Health System – Careless Handling of PHI

Memorial Hermann Health System (MHHS) agreed to pay the Department of Health and Human Services' Office for Civil Rights $2,400,000 to settle potential HIPAA Privacy Rule violations. The settlement stems from an impermissible disclosure of PHI in a press release issued by MHHS in September 2015. Read More…

St. Luke's-Roosevelt Hospital Center – Impermissible Disclosure of PHI

The Department of Health and Human Services' Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke's-Roosevelt Hospital Center Inc. paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. Read More…

The Center for Children’s Digestive Health – Lack of a Business Associate Agreement

The Department of Health and Human Services' Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors before disclosing any protected health information to them. The Center for Children's Digestive Health (CCDH), a small seven-center pediatric subspecialty practice based in Park Ridge, Illinois, agreed to pay OCR $31,000 to resolve potential HIPAA violations. Read More…

CardioNet – Impermissible Disclosure of PHI

A $2.5 million settlement was agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias. Settlements had previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this was the first time OCR had settled potential HIPAA violations with a wireless health services provider. Read More…

Metro Community Provider Network – Security Management Process Failures

The Department of Health and Human Services' Office for Civil Rights (OCR) took action against a Denver, CO-based federally qualified health center (FQHC) for security management process failures that contributed to a data breach in 2011. Metro Community Provider Network (MCPN) agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. Read More…

Memorial Healthcare System – Insufficient ePHI Access Controls

OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare System to resolve potential Privacy Rule and Security Rule violations. In addition to the $5.5 million payment, Memorial Healthcare System must adopt a robust corrective action plan to address all areas of non-compliance. Read More…

Children's Medical Center of Dallas – Multiple HIPAA Violations

The Department of Health and Human Services' Office for Civil Rights announced that Children's Medical Center of Dallas had paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. OCR attempted to resolve the matter by informal means between November 6, 2015 and August 30, 2016 before issuing a Notice of Proposed Determination on September 30, 2016. Read More…

MAPFRE Life Insurance Company of Puerto Rico – Impermissible Disclosure of ePHI

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 individuals in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT department, from where it was stolen. The device contained a range of patients' ePHI, including full names, Social Security numbers and dates of birth. The device was not password-protected and the data on it were not encrypted. MAPFRE agreed to a $2,200,000 settlement with OCR. Read More…

Presence Health – Delayed Breach Notifications

Presence Health, one of the largest healthcare networks serving residents of Illinois, agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Presence Health took three months to issue breach notifications, whereas the Breach Notification Rule requires notifications to be sent without unreasonable delay and no later than 60 days after the discovery of a breach. Read More…

HIPAA Violation Cases 2016

University of Massachusetts Amherst – Failure to Manage Security Risks

The Department of Health and Human Services' Office for Civil Rights agreed to a $650,000 settlement with the University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Read More…

St. Joseph Health – Failure to Conduct Risk Analysis

St. Joseph Health exposed ePHI as a direct result of its failure to conduct a comprehensive risk analysis and a security assessment of a server before using it to share files containing ePHI. The server had been purchased and a file sharing application installed, but the application's default security settings were left in place, which allowed any individual with an Internet connection to access the ePHI in the files. St. Joseph Health agreed to pay OCR $2,140,500. Read More…

Care New England Health System – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Read More…

Advocate Health Care Network – Multiple HIPAA Violations

OCR announced what was, at the time, the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network agreed to pay $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple S Management Corporation agreed in November 2015. Read More…

University of Mississippi Medical Center – Multiple HIPAA Violations

The Department of Health and Human Services' Office for Civil Rights announced that University of Mississippi Medical Center (UMMC) had agreed to settle alleged HIPAA violations and pay a financial penalty of $2.75 million. UMMC also agreed to adopt a corrective action plan (CAP) to bring its privacy and security standards up to the level required by HIPAA. Read More…

Oregon Health & Science University – Lack of a Business Associate Agreement

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health information of over 7,000 patients was exposed. Read More…

Catholic Health Care Services of the Archdiocese of Philadelphia – Failure to Conduct Risk Analysis

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). CHCS also paid a financial penalty of $650,000. CHCS had failed to perform a comprehensive risk analysis at any time since September 23, 2013, the compliance date of the HIPAA Omnibus Rule, and had also failed to implement security measures sufficient to reduce risks to ePHI to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B). Read More…

New York Presbyterian Hospital – Filming Patients without Authorization

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. An ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, but consent had not been obtained. Read More…

Raleigh Orthopaedic Clinic, P.A. of North Carolina – Lack of Business Associate Agreement

OCR reached a settlement with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of the HIPAA Rules. Raleigh Orthopaedic agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. Read More…

Feinstein Institute for Medical Research – Impermissible Disclosure of PHI

The Department of Health and Human Services' Office for Civil Rights announced that it had settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million, at the time the second largest settlement amount agreed with OCR. The data breach investigation revealed a substandard security management process and a catalogue of HIPAA Security Rule violations. Read More…

North Memorial Health Care of Minnesota – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Read More…

Complete P.T., Pool & Land Physical Therapy, Inc. – Impermissible Disclosure of PHI

Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) agreed to pay $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients in the client testimonial section of its website without first obtaining HIPAA-compliant authorizations from the patients in question. Read More…

Lincare, Inc. – Failure to Safeguard PHI

For only the second time in its history, OCR ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare, Inc. was required to pay $239,800 for violations of the HIPAA Privacy Rule discovered during the investigation of a complaint about a breach of 278 patients' records. Read More…

HIPAA Violation Cases 2015

University of Washington Medicine – Failure to Conduct Risk Analysis

University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights, and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. Read More…

Triple S Management Corporation – Multiple HIPAA Violations

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services' Office for Civil Rights. Triple S had also been ordered in 2014 to pay a penalty of $6.8 million to the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act's Privacy Rule, although that penalty was reduced to $1.5 million on appeal. Read More…

Lahey Hospital and Medical Center – Multiple HIPAA Violations

HHS announced that Lahey Hospital and Medical Center had agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. Lahey Hospital and Medical Center agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital also agreed to adopt OCR's corrective action plan to address the HIPAA compliance issues discovered by OCR investigators. Read More…

Cancer Care Group, P.C. – Failure to Conduct Risk Analysis

Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. Read More…

St. Elizabeth’s Medical Center – Multiple HIPAA Violations

A HIPAA settlement of $218,400 was reached with St. Elizabeth's Medical Center (SEMC) for violations of the HIPAA Privacy, Security and Breach Notification Rules. The violations led to a data breach involving an Internet-based document sharing application that exposed 498 patients' records, and a second breach involving the theft of a flash drive containing the unencrypted data of 595 patients. Read More…

Cornell Prescription Pharmacy – Improper Disposal of PHI

OCR announced that it had reached a $125,000 settlement with a Denver-based healthcare provider, Cornell Prescription Pharmacy, following the improper disposal of patient health records. Cornell Prescription Pharmacy is a single-location provider that mostly serves hospice care organizations in Denver and provides compounded medications. Read More…

HIPAA Violation Cases 2014

Anchorage Community Mental Health Services – Failure to Patch Software

Anchorage Community Mental Health Services (ACMHS) is a non-profit organization that runs five mental health facilities in Alaska. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. ACMHS agreed to settle the case with OCR for $150,000. Read More…

Parkview Health System, Inc. – Failure to Safeguard PHI

Parkview Health System agreed to pay an $800,000 settlement for violations of the HIPAA Privacy Rule. The incident dates back to 2009, when a complaint was filed by a retiring physician. Parkview delivered 71 boxes of medical files containing up to 8,000 patient records to the physician's home and left them unattended on the driveway while the physician was out. Read More…

New York and Presbyterian Hospital and Columbia University – Failure to Conduct Risk Analysis

The Office for Civil Rights agreed to what was, at the time, its largest ever financial penalty for violations of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. The data breach occurred when a physician at Columbia University deactivated a computer server firewall, leaving electronic PHI exposed and accessible via Internet search engines. New York and Presbyterian Hospital (NYP) and Columbia University (CU) jointly paid a penalty of $4,800,000. Read More…

QCA Health Plan, Inc., of Arkansas – Failure to Safeguard ePHI

QCA Health Plan, Inc. of Arkansas reported the theft of a laptop from a car which contained unencrypted data on 148 patients. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. Read More…

Concentra Health Services – Failure to Safeguard ePHI

Following the report of the theft of a laptop from the Springfield Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by the OCR. Documentation was uncovered which clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Concentra has agreed to pay OCR $1,725,220 to resolve the case. Read More…

Skagit County, Washington – Failure to Safeguard ePHI

Skagit County, Washington paid the price for failing to implement appropriate controls and safeguards to protect the data it held. Skagit County agreed to pay OCR $215,000 after ePHI was inadvertently moved to a publicly accessible server and accessed by unknown third parties. The county initially reported the breach as affecting seven individuals; OCR's investigation found that the ePHI of 1,581 individuals had been exposed. Read More…

HIPAA Violation Cases 2013

Adult & Pediatric Dermatology, P.C. – Failure to Safeguard ePHI

The Office for Civil Rights issued a statement confirming that an agreement had been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the disclosure of the PHI of approximately 2,200 patients after an unencrypted memory stick was stolen from the car of one of the practice's employees. A settlement of $150,000 was reached with OCR. Read More…

Affinity Health Plan, Inc. – Failure to Permanently Erase ePHI

Office for Civil Rights has announced a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. A digital photocopier was returned to a leasing company; but the PHI stored on its hard drive had not been erased before the device was returned. Read More…

WellPoint – Failure to Safeguard ePHI

WellPoint is one of the largest health plan providers in the United States, with almost 36 million policy holders. Between October 23, 2009 and March 7, 2010, part of its online database of policy holders was accessible to unauthorized individuals. A settlement of $1,700,000 was agreed with OCR to resolve the HIPAA violations that contributed to the breach. Read More…

Shasta Regional Medical Center – Impermissible Disclosure of PHI to the Media

An article published in the L.A. Times started a sequence of events that resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. PHI had been intentionally provided to the media on three separate occasions. Read More…

Idaho State University – Failure to Safeguard ePHI

Idaho State University's Pocatello Family Medicine Clinic disabled the firewall protecting a server that held the medical records of 17,500 patients. The firewall remained inactive for 10 months, leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. A settlement of $400,000 was agreed with OCR to resolve the HIPAA violations. Read More…

Written by HIPAA Journal

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.